Troldesh

27
Global rank
51
Month rank
47
Week rank
40
IOCs

Troldesh is ransomware — a malware that demands a payment in order to unlock encrypted files. It is also can search and steal information from the banking programs if such are found on the infected machine.

Ransomware
Type
Unknown
Origin
1 January, 2014
First seen
22 April, 2023
Last seen
Also known as
Encoder.858

How to analyze Troldesh with ANY.RUN

Ransomware
Type
Unknown
Origin
1 January, 2014
First seen
22 April, 2023
Last seen

IOCs

IP addresses
104.16.154.36
104.16.155.36
192.168.100.154
66.171.248.178
192.168.100.172
192.168.100.62
192.168.100.180
192.168.100.176
192.168.100.131
Hashes
448e299e8b9a9fe5e4c89b5192aa3034be37588366172ceba7db9f5816d18523
c02153dce99eb8730806cfe19a3f29e3d4e3fad796f4eb15962b74fb2e55fe47
47f31bc89c7581bb0483e01e15695e1f75ee4236f00142ff720f8f8138fb93eb
62230c1651781d4ab7234fe6d747dc6cc79c1381f4ee15a84cf9a2176dcdc5d9
a5388ffee5b8dc422ed166a44d273f3c6be76db2d11f0f29fa99adbd1322c1d8
62214ccdcb1052b518e6059060daec143430c1ae13a799873ebabea7f3eae217
d23c897e7bb23a6a525d1206dc792f0b81c34b4cce433614c08ce87aecd247fe
5307fa1aab7d32a53a30cac7cfaf67d1b63f1290138ecd034e8786c7ae8fce7a
60cd9b62641de616e0bbf132a67ad61f84cbd3f47d137eb2f8ff3cf18dc964b3
e5093e304a50d34cdf67ee8e49713c6131d6740e664ea49d9c98682336e3141a
5892132ecc04f842a737f31c0ecc31d47e309b4152e657f0f0a7b3fcbc38e1f7
53ee96d2a89b492d3f383221ba0251d9a500f6f034d7e1d7a81ed619a0a84123
a22c3de1f3a27b49f801e8873d1391bf3addb801c1e25612e035f62b26828bbf
13a4369efe0744407d789bdc3555230c6793156eaa7707972ced82d545da7baa
76ee12b461756426c181298447c0edc3badae933b9f221e4e61bbb122fb4d1c2
e56e1200606a69b07f4d1ad086229292852b6dc3ea0d377721ae739a4a75bf4b
da5c60755394828da5a49a3e60083a88bcf80331f9ee5a0acd821439a40c22ea
fda0539c99eae4a76b05c78c5dbd0250677f6ab1293c045b3e37d384daf0b0d3
c160ca289081911e7ef4fff116341a6ce5bc7a2901dc151de533aec85a9d1c35
372b62ef86e32bcc36904e3dc79fbea27f31bf43823706e28cbc95554ba39ce2
Domains
majul.com
e8960.b.akamaiedge.net
qxq.ddns.net
isns.net
elx01.knas.systems
pluto.iziis.ukim.edu.mk
www.whatismyipaddress.com
hunterdekaron.net
bb-sandonato.com
www.planiligue.com
www.whatsmyip.net
Last Seen at

Recent blog posts

recentPost
How to Create a Task in ANY.RUN:a Step-by-Ste...
watchers 306
comments 0
recentPost
ChatGPT for SOC and Malware Analysis professi...
watchers 5380
comments 0
recentPost
Deobfuscating the Latest GuLoader: Automating...
watchers 3235
comments 3

What is Troldesh ransomware?

Troldesh, also known as Encoder.858, is ransomware belonging to the Shade ransomware family. It was created in 2014. The malware encrypts files on the victim's machine and demands a ransom for the data to be restored.

Attempting to get as much information as possible, the malware also scans the target PC for banking files or banking programs to squeeze every last penny.

General description of Troldesh

Attacking Windows users mainly in Russia, Ukraine, and Germany, Troldesh is one of Russia's most commonly used encryption software.

In addition to this behavior, Troldesh ransomware often comes in conjunction with two particular malware samples, namely Mexar, and Teamspy, which allows attackers to control the victim's PC remotely and gives the virus the ability to install other malware, including trojans on the infecting PC.

In fact, unlike most other ransomware Nemty or others, this virus does not stop executing after encrypting the victim's files. Instead, it starts an infinite loop where it requests URLs of other malicious programs from the command server, downloading and installing them on a contaminated machine. This strategy means that most victims contaminated with Troldesh may end up with a whole host of infections on their PC. And even with removal tools and decryptors, it can be challenging to get rid of this issue.

Even though the malware itself has not evolved a lot throughout its lifespan, attackers' method to demand the ransom has changed. The first malware samples were used to provide an email address at which the victim could contact the hackers and negotiate the payment. In newer campaigns, ransom node demands victims to use the Tor browser to navigate to a payment page that is located on the Dark Web.

Trodlesh, as part of the Shade family, shares several familiarities with related malware: they are written in C++, utilize CTL, use a static link with a Tor client. Every particular malware sample also has a hardcoded URL of the command server. Malicious programs of this family are also known to exhibit similar or identical behavior. As such, they create ten identical ransom notes in two languages – Russian and English and name them README1.txt or README10.txt.

Troldesh malware analysis

A video simulation recorded on ANY.RUN allows us to examine the lifecycle of the Troldesh malware in a lot of detail.

process graph of a troldesh ransomware execution Figure 1: Process graph generated by ANY.RUN helps us visualize the life cycle of the virus

Troldesh execution process

Troldesh ransomware is spread in the form of a script file, either Javascript or JScript. Usually, these files are packed in an archive file that is sometimes protected with a password. In the simulation performed on ANY.RUN, after a script file was unpacked and launched, it installed an executable file from the internet. It should be noted that in the case of Troldesh, executable files typically have "not suspicious" extensions along with the likes of .jpg. After being downloaded, the files are renamed and executed.

As shown in the ANY.RUN simulation, after running, the file immediately began performing the malicious activity, namely: encrypting files, stealing personal data, deleting shadow copies, and changing autorun values in the registry. Files encrypted by the latest versions of Troldesh are known to have a .crypted000007 extension which was also the case in our simulation. Lastly, after encryption was completed, the malicious executable file dropped ransomware instructions on the desktop.

process tree of a troldesh ransomware execution Figure 2: Process tree of a Troldesh ransomware execution

How to avoid infection by Troldesh?

Since Troldesh is commonly distributed using malspam campaigns that mimic real company newsletters, a good way of staying safe is thoroughly checking for the authenticity of emails before downloading any attachments. If necessary, one can get in touch with a company that is the presumable author of the newsletter and verify that they have sent the email.

Once infected, Troldesh installs several secondary malware samples on the victim's PC, thus after Troldesh removal – malware deletes itself from the PC, it is vital to conduct a global system scan and make sure that one's machine is not swarming with other viruses as well.

Distribution of Troldesh

Troldesh ransomware is known to utilize two main attack vectors – email spam and exploit kits. Malspam campaigns usually mimic legitimate information newsletters from actual Russian companies, including banks and large supermarket chains. The emails themselves contain an archive file in which another script file is included.

Upon unpacking the archive and clicking on the file, a malicious loader is installed. It in turn downloads and installs the main payload – Troldesh itself. The loader is known to be stored on legitimate but compromised WordPress websites where it is hidden as an image file.

Troldesh is also known to utilize Axpergle and Nuclear exploit kits, and these attacks are, arguably, more dangerous than email spam as they don't require active actions from the user for the contamination process to begin. Instead, upon visiting a compromised URL, which can be a website hosted by the attackers or a legitimate website that has been hacked, the malware utilizes a vulnerability either in the browser itself or in one of the browser plugins, successfully penetrating into the users PC and starting the execution automatically. Thus, victims can get infected without ever realizing the danger, so get a removal program and a decryptor.

Communication with C&C

Address information of C&C servers is embedded in the body of each malware sample. Servers themselves are hosted on the dark web and communication is established with the use of a Tor client.

Once installed on a victim's PC, the malware requests a public key value from the server to encrypt the victim's files. Should the connection attempt fail, the virus uses one of one hundred private key values stored in its memory.

How to detect Troldesh using ANY.RUN?

Since Troldesh ransomware writes into the registry analysts can detect it by looking at registry keys. Choose the process by clicking on it in the process tree of the task then click on the "More info" button. In the "Advanced details of process" window switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a value "906D0F2E2F604F839E04" with the name "xi" into the key HKLM\SOFTWARE\System32\Configuration it's Troldesh.

Registry changes created by Troldesh Figure 3: Registry changes created by Troldesh

Conclusion

Troldesh is an extremely dangerous ransomware that is able to contaminate victims who simply end up browsing to the wrong place at the wrong time, ending up on a website hacked by the attackers. Unlike much other ransomware that simply demands money in exchange for user's encrypted data, Troldesh doesn't stop there and goes the extra mile to spread other dangerous malware samples on a victim's PC.

Utilizing analysis services like ANY.RUN is a great way to examine the virus from a safe environment and develop a sufficient defense strategy.

P.S.

On the 27th of April, 2020 authors behind Troldesh ransomware announced that they stopped distribution of the ransomware and publish the decryption keys with a decryptor and instructions. They said that apologize to all the victims of the trojan and hope that the keys they published will help them to recover their data. The same scenario had a couple of other ransomware writers, even the infamous Maze.

You can take a look at the task in which their keys and tool were used to decrypt data.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy